Hardening Nginx SSL/TLS Configuration

A few days ago I had to investigate an SSL issue on one of my customer’s servers: he had installed an SSL certificate, but the Nginx SSL configuration was not hardened at all, so he was getting a very poor grade when checking his site at SSL Server Test.

If you are in the same situation and your site gets a grade lower than A, you should optimize your Nginx SSL configuration. Here are some tips to harden it.
1) Protocol Support

When you hear “SSL” you may think of a single security protocol, but in fact there are several protocol versions that people lump together under that name:

SSL 1.0 – SSL 2.0 – SSL 3.0

TLS 1.0 – TLS 1.1 – TLS 1.2

Both SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide communication security over the Internet. SSL 2.0 and SSL 3.0 have known, exploitable weaknesses and are considered insecure today, while TLS is what most “SSL” servers actually negotiate, since it is a more robust protocol than its predecessor.

So the first step is to disable the old SSL protocols. Most people disable only SSLv2, but if SSLv3 is still enabled, an attacker in the middle can interfere with the TLS handshake so that the client falls back to SSLv3, whose CBC cipher suites are vulnerable to padding-oracle attacks (the only non-CBC alternative in SSLv3 is RC4). At that point the session is no longer protected, whatever cipher suite or key exchange you configured for TLS.
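The directive that controls this is ssl_protocols. The following snippet is an added example, not configuration from the original post; it shows the unhardened setting next to the hardened one and goes in the http or server block. Note that Nginx enabled SSLv3 by default until version 1.9.1, and that the TLSv1.3 parameter requires Nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example (not from the original post). Place in http {} or server {}.

# Weak: SSLv3 still accepted. This was the Nginx default before 1.9.1, so a
# config that never sets ssl_protocols on an old build looks like this:
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

# Hardened for the Nginx 1.4.x era discussed in the post: TLS only.
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Hardened for current builds: drop TLS 1.0/1.1 as well unless you must
# support very old clients. TLSv1.3 needs Nginx 1.13.0+ and OpenSSL 1.1.1+.
ssl_protocols TLSv1.2 TLSv1.3;
```

After reloading, check the result with `openssl s_client -connect host:443 -ssl3`: a hardened server must refuse the handshake.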

As of version 1.4.4, Nginx still relies on OpenSSL for the parameters of the Diffie-Hellman key exchange. This means that DHE (Ephemeral Diffie-Hellman) cipher suites use OpenSSL’s default values, which gives only 1024-bit parameters. Today most people use 2048-bit certificates, so the DH group should be at least as strong; generate a stronger parameter set on the server (this can take several minutes):

cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 2048

Now configure Nginx at the http or server block level to use the new parameters (note that this file only affects the DHE cipher suites; ECDHE suites use elliptic curves and are not affected by it):

ssl_dhparam /etc/ssl/certs/dhparam.pem;
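Before pointing Nginx at the file, it is worth verifying that it really contains 2048-bit (or larger) parameters, for example after copying it from another machine. The script below is an added example, not from the original post; it assumes the OpenSSL command-line tool is installed and takes the path of the PEM file as its argument.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that a dhparam.pem
# carries DH parameters of at least MIN_DH_BITS before using it in nginx.
# Assumes the openssl CLI is installed; usage: ./check_dhparam.sh /etc/ssl/certs/dhparam.pem

MIN_DH_BITS=2048

# Pull the bit length out of "openssl dhparam -text" output, whose first
# line reads e.g. "    DH Parameters: (2048 bit)". Prints the number only.
dh_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when the bit count is known and meets the minimum.
dh_bits_ok() {
    [ -n "$1" ] && [ "$1" -ge "$MIN_DH_BITS" ]
}

# Parse the PEM file with openssl and report whether it is acceptable.
# Exit status: 0 = OK, 1 = too small, 2 = not a DH parameter file.
check_dhparam() {
    file="$1"
    text=$(openssl dhparam -in "$file" -text -noout 2>/dev/null) || {
        echo "$file: cannot be parsed as DH parameters" >&2
        return 2
    }
    bits=$(dh_bits_from_text "$text")
    if dh_bits_ok "$bits"; then
        echo "$file: $bits-bit DH parameters, OK"
    else
        echo "$file: ${bits:-unknown}-bit DH parameters, below $MIN_DH_BITS" >&2
        return 1
    fi
}

# Run the check when a path is given on the command line.
[ $# -eq 0 ] || check_dhparam "$1"
```

A non-zero exit status makes the script usable in a deployment pipeline, so a 1024-bit file can never silently reach production.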

4) HSTS

If you can, you should consider enabling HSTS (HTTP Strict Transport Security), a mechanism that tells browsers to communicate with your website only over HTTPS for a period you choose. It is very effective against man-in-the-middle attacks such as SSL stripping, because a browser that has seen the policy refuses to make plain HTTP requests to the site. Two caveats: browsers only honor the header when it arrives over HTTPS, and clients that have cached the policy keep enforcing it until max-age expires (or until they receive a max-age=0 header over HTTPS), so start with a short max-age while testing. To enable HSTS on Nginx, add this to the virtual host or server block of your site:
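The following complete server configuration is an added example, not the original post’s code. It ties the tips above together: a plain-HTTP server that only redirects, and a TLS server with the hardened protocols, the generated DH parameters and the HSTS header. The hostname example.com, the certificate and key paths and the document root are assumptions.

```nginx
# Added example (not from the original post). Assumes the site is example.com,
# the certificate and key live under /etc/ssl/, and dhparam.pem was generated
# as shown above.

# Plain HTTP: redirect everything to HTTPS. No HSTS header here, because
# browsers ignore Strict-Transport-Security received over HTTP.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key; # assumed path

    # From the earlier sections: TLS only, and 2048-bit DH parameters.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # HSTS for one year. Use includeSubDomains only if every subdomain is
    # served over HTTPS. Start with a short value such as max-age=300 while
    # testing, since browsers enforce the policy until it expires.
    # "always" (Nginx 1.7.5+) sends the header on error responses as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com; # assumed path
}
```

Keep in mind that add_header directives are inherited from the enclosing level only if the current level defines none of its own, so a location block with its own add_header must repeat the HSTS line. Verify with `curl -sI https://example.com | grep -i strict-transport-security`.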